Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency jquery-ui to v1.13.2 [SECURITY] #1068

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 18, 2022

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jquery-ui (source) 1.12.1 -> 1.13.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-41182

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41184

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41183

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2022-31160

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.


Release Notes

jquery/jquery-ui (jquery-ui)

v1.13.2: jQuery UI 1.13.2 released

Compare Source

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

v1.13.1: jQuery UI 1.13.1 released

Compare Source

https://blog.jqueryui.com/2022/01/jquery-ui-1-13-1-released/

v1.13.0: jQuery UI 1.13.0 released

Compare Source

https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch from 8748741 to 884f993 Compare August 1, 2022 03:55
@codecov
Copy link

codecov bot commented Aug 1, 2022

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.28%. Comparing base (7c7357e) to head (c7bd283).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1068   +/-   ##
=======================================
  Coverage   69.28%   69.28%           
=======================================
  Files          59       59           
  Lines        5088     5088           
  Branches     1072     1072           
=======================================
  Hits         3525     3525           
  Misses       1536     1536           
  Partials       27       27           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 01f44e3 to 740fee7 Compare August 10, 2022 19:54
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch from 740fee7 to be4f514 Compare August 16, 2022 00:51
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 2 times, most recently from 843cd23 to 7f74941 Compare September 6, 2022 15:39
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 7 times, most recently from 2b387aa to 2d404b8 Compare October 1, 2022 05:32
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch from 2d404b8 to 7b2fbc3 Compare October 3, 2022 05:34
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 2 times, most recently from d73a990 to bdb30f1 Compare November 18, 2022 18:29
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 802dae6 to e0b27ea Compare December 7, 2022 05:06
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 65ce003 to 69e9aef Compare December 15, 2022 09:41
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 2 times, most recently from 1875650 to fa336c7 Compare December 22, 2022 06:23
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 5476b81 to 196fe1f Compare December 29, 2022 22:33
@renovate renovate bot changed the title Update dependency jquery-ui to 1.13.2 [SECURITY] Update dependency jquery-ui to 1.13.2 [SECURITY] - autoclosed Dec 31, 2022
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 2 times, most recently from 44b67b9 to f3b805e Compare February 20, 2024 19:57
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch from f3b805e to 80a12ee Compare February 29, 2024 21:36
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch from 80a12ee to 05d9fc1 Compare June 19, 2024 12:49
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 5d0c508 to 3a6321c Compare August 30, 2024 15:37
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 2577506 to 89fb388 Compare September 18, 2024 20:10
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 4 times, most recently from dbbf797 to 5b398e4 Compare October 3, 2024 14:32
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 5 times, most recently from f1103c7 to aa70d80 Compare October 15, 2024 18:23
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 3 times, most recently from 8651030 to c315e51 Compare November 15, 2024 19:45
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch 6 times, most recently from 6063d72 to bf01e10 Compare December 3, 2024 23:44
@renovate renovate bot force-pushed the renovate/npm-jquery-ui-vulnerability branch from bf01e10 to c7bd283 Compare December 4, 2024 06:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants